Thomas Claburn reports via The Register: A security researcher in Germany has been fined $3,300 for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records. Back in June 2021, according to our pals at Heise, an contractor identified elsewhere as Hendrik H. was troubleshooting software for a customer of IT services firm Modern Solution GmbH. He discovered that the Modern Solution code made an MySQL connection to a MariaDB database server operated by the vendor. It turned out the password to access that remote server was stored in plain text in the program file MSConnect.exe, and opening it in a simple text editor would reveal the unencrypted hardcoded credential.

With that easy-to-find password in hand, anyone could log into the remote server and access data belonging to not just that one customer of Modern Solution, but data belonging to all of the vendor's clients stored on that database server. That info is said to have included personal details of those customers' own customers. And we're told that Modern Solution's program files were available for free from the web, so truly anyone could inspect the executables in a text editor for plain-text hardcoded database passwords. The contractor's findings were discussed in a June 23, 2021 report by Mark Steier, who writes about e-commerce. That same day Modern Solution issued a statement [PDF] -- translated from German -- summarizing the incident [...]. The statement indicates that sensitive data about Modern Solution customers was exposed: last names, first names, email addresses, telephone numbers, bank details, passwords, and conversation and call histories. But it claims that only a limited amount of data -- names and addresses -- about shoppers who made purchases from these retail clients was exposed. Steier contends that's incorrect and alleged that Modern Solution downplayed the seriousness of the exposed data, which he said included extensive customer data from the online stores operated by Modern Solution's clients.

In September 2021 police in Germany seized the IT consultant's computers following a complaint from Modern Solution that claimed he could only have obtained the password through insider knowledge â" he worked previously for a related firm -- and the biz claimed he was a competitor. Hendrik H. was charged with unlawful data access under Section 202a of Germany's Criminal Code, based on the rule that examining data protected by a password can be classified as a crime under the Euro nation's cybersecurity law. In June, 2023, a Julich District Court in western Germany sided with the IT consultant because the Modern Solution software was insufficiently protected. But the Aachen regional court directed the district court to hear the complaint. Now, the district court has reversed its initial decision. On January 17, a Julich District Court fined Hendrik H. and directed him to pay court costs.

An anonymous reader quotes a report from Ars Technica: Last Thursday, HP CEO Enrique Lores addressed the company's controversial practice of bricking printers when users load them with third-party ink. Speaking to CNBC Television, he said, "We have seen that you can embed viruses in the cartridges. Through the cartridge, [the virus can] go to the printer, [and then] from the printer, go to the network." That frightening scenario could help explain why HP, which was hit this month with another lawsuit over its Dynamic Security system, insists on deploying it to printers.

Dynamic Security stops HP printers from functioning if an ink cartridge without an HP chip or HP electronic circuitry is installed. HP has issued firmware updates that block printers with such ink cartridges from printing, leading to the above lawsuit (PDF), which is seeking class-action certification. The suit alleges that HP printer customers were not made aware that printer firmware updates issued in late 2022 and early 2023 could result in printer features not working. The lawsuit seeks monetary damages and an injunction preventing HP from issuing printer updates that block ink cartridges without an HP chip. [...]

Unsurprisingly, Lores' claim comes from HP-backed research. The company's bug bounty program tasked researchers from Bugcrowd with determining if it's possible to use an ink cartridge as a cyberthreat. HP argued that ink cartridge microcontroller chips, which are used to communicate with the printer, could be an entryway for attacks. [...] It's clear that HP's tactics are meant to coax HP printer owners into committing to HP ink, which helps the company drive recurring revenue and makes up for money lost when the printers are sold. Lores confirmed in his interview that HP loses money when it sells a printer and makes money through supplies. But HP's ambitions don't end there. It envisions a world where all of its printer customers also subscribe to an HP program offering ink and other printer-related services. "Our long-term objective is to make printing a subscription. This is really what we have been driving," Lores said.

The Seattle Times reports: Concerns have grown in recent weeks about data privacy and the ongoing impacts of a recent Fred Hutchinson Cancer Center cyberattack that leaked personal information of about 1 million patients last November. Since the breach, which hit the South Lake Union cancer research center's clinical network and has led to a host of email threats from hackers and lawsuits against Fred Hutch, menacing messages from perpetrators have escalated.

Some patients have started to receive "swatting" threats, in addition to spam emails warning people that unless they pay a fee, their names, Social Security and phone numbers, medical history, lab results and insurance history will be sold to data brokers and on black markets. Steve Bernd, a spokesperson for FBI Seattle, said last week there's been no indication of any criminal swatting events... Other patients have been inundated with spam emails since the breach...

According to The New York Times, large data breaches like this are becoming more common. In the first 10 months of 2023, more than 88 million individuals had their medical data exposed, according to the Department of Health and Human Services. Meanwhile, the number of reported ransomware incidents, when a specific malware blocks a victim's personal data until a ransom is paid, has decreased in recent years — from 516 in 2021 to 423 in 2023, according to Bernd of FBI Seattle. In Washington, the number dropped from 84 to 54 in the past three years, according to FBI data.
Fred Hutchinson Cancer Center believes their breach was perpetrated outside the U.S. by exploiting the "Citrix Bleed" vulnerability (which federal cybersecurity officials warn can allow the bypassing of passwords and mutifactor authentication measures).

The article adds that in late November, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center "urged hospitals and other organizations that used Citrix to take immediate action to patch network systems in order to protect against potentially significant ransomware threats."

The pandemic may have proved to employeers that remote and flexible-work arrangements were viable — and changed the way we work forever. Axios writes: Just 6 out of 158 U.S. CEOs said they'll prioritize bringing workers back to the office full-time in 2024, according to a new survey released by the Conference Board. Executives are increasingly resigned to a world where employees don't come in every day, as hybrid work arrangements — mixing work from home and in-office — become the norm for knowledge workers. "Maintain hybrid work," was cited as a priority by 27% of the U.S. CEOs who responded to the survey, conducted in October and November. A separate survey of chief financial officers by Deloitte, conducted in November, found that 65% of CFOs expect their company to offer a hybrid arrangement this year.

"Remote work appears likely to be the most persistent economic legacy of the pandemic," write Goldman Sachs economists in a recent note. About 20%-25% of workers in the U.S. work from home at least part of the week, according to data Goldman cites. That's below a peak of 47% during the pandemic but well above its prior average of around 3%.

"The battle is over," said Diana Scott, human capital center leader at The Conference Board. "There are so many other issues CEOs are facing." Headlines about CEOs determined to get butts in seats get attention, but they are the exception, says Brian Elliott, the cofounder of Future Forum, a future of work think tank. "There are a lot more CEOs that are actually quietly becoming more flexible...." Though the labor market has softened, employers still do care about keeping employees satisfied — and they don't want to fight with them. "It's not worth the fight," says Elliott.

The Wall Street Journal reports: Moves by Broadcom to shore up its $69 billion VMware acquisition, completed in November, include a streamlining of product bundles and new billing models — efforts in line with the chip giant's past acquisitions, but not necessarily welcomed by all of VMware's customers... Broadcom has also recently laid off at least hundreds of VMware workers, disclosures from the Worker Adjustment and Retraining Notification show....

VMware has approximately 330,000 customers, according to the company. Chief information officers say they are closely monitoring what comes next.

"Any CIO that's not taking stock of what they have and mentally considering alternatives and monitoring what else is out there is probably not doing their job," said Jay Ferro, executive vice president and chief information, technology and product officer at clinical research data-management company Clario. All these changes, plus past remarks by Broadcom that its go-to-market strategy is to focus completely on the needs and priorities of its top 600 customers, has left some CIOs rethinking the relationship. Price increases and degrading levels of support are among their biggest concerns. "I'm not one of their top, probably 600 customers, so they've been very clear to me where I fit in that pecking order," said Todd Florence, CIO of trucking company Estes Express Lines. Florence said he's started looking into alternatives. "It certainly doesn't make you feel good, like you're going to get lots of support going forward...."

Goya Foods CIO Suvajit Basu said he is thinking about how to reduce the food company's reliance on VMware as the sole and longtime dominant provider of virtualization for the data center. "They're going to increase their prices or change their licensing so the customer pays more," he said. "And I think this is starting to hit us right now...." Forrester estimates that in 2024, 20% of VMware customers will begin the process of exiting VMware in favor of alternatives.
On the other hand, a group VP at market researcher IDC tells the Journal that on the upside, now VMware and Broadcom will have to engage more actively with customers on the value of new produces included in their bundles...

In a regulatory filing today, Microsoft said that a Russian intelligence group hacked into some of the company's top executives' email accounts. CNBC reports: Nobelium, the same group that breached government supplier SolarWinds in 2020, carried out the attack, which Microsoft detected last week, according to the company. The announcement comes after new U.S. requirements for disclosing cybersecurity incidents went into effect. A Microsoft spokesperson said that while the company does not believe the attack had a material impact, it still wanted to honor the spirit of the rules.

In late November, the group accessed "a legacy non-production test tenant account," Microsoft's Security Response Center wrote in the blog post. After gaining access, the group "then used the account's permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents," the corporate unit wrote. The company's senior leadership team, including finance chief Amy Hood and president Brad Smith, regularly meets with CEO Satya Nadella. Microsoft said it has not found signs that Nobelium had accessed customer data, production systems or proprietary source code.

The U.S. government and Microsoft consider Nobelium to be part of the Russian foreign intelligence service SVR. The hacking group was responsible for one of the most prolific breaches in U.S. history when it added malicious code to updates to SolarWinds' Orion software, which some U.S. government agencies were using. Microsoft itself was ensnared in the hack. Nobelium, also known as APT29 or Cozy Bear, is a sophisticated hacking group that has attempted to breach the systems of U.S. allies and the Department of Defense. Microsoft also uses the name Midnight Blizzard to identify Nobelium. It was also implicated alongside another Russian hacking group in the 2016 breach of the Democratic National Committee's systems.

Google researchers say they have evidence that a notorious Russian-linked hacking group -- tracked as "Cold River" -- is evolving its tactics beyond phishing to target victims with data-stealing malware. From a report: Cold River, also known as "Callisto Group" and "Star Blizzard," is known for conducting long-running espionage campaigns against NATO countries, particularly the United States and the United Kingdom. Researchers believe the group's activities, which typically target high-profile individuals and organizations involved in international affairs and defense, suggest close ties to the Russian state. U.S. prosecutors in December indicted two Russian nationals linked to the group.

Google's Threat Analysis Group (TAG) said in new research this week that it has observed Cold River ramping up its activity in recent months and using new tactics capable of causing more disruption to its victims, predominantly targets in Ukraine and its NATO allies, academic institutions and non-government organizations. These latest findings come soon after Microsoft researchers reported that the Russia-aligned hacking group had improved its ability to evade detection. In research shared with TechCrunch ahead of its publication on Thursday, TAG researchers say that Cold River has continued to shift beyond its usual tactic of phishing for credentials to delivering malware via campaigns using PDF documents as lures.

When Microsoft announced it was baking ChatGPT into its Bing search engine last February, bullish analysts declared the move an "iPhone moment" that could upend the search market and chip away at Google's dominance. "The entire search category is now going through a sea change," Chief Executive Officer Satya Nadella said at the time. "That opportunity comes very few times." Almost a year later, the sea has yet to change. Bloomberg: The new Bing -- powered by OpenAI's generative AI technology -- dazzled internet users with conversational replies to queries asked in a natural way. But Microsoft's search engine ended 2023 with just 3.4% of the global search market, according to data analytics firm StatCounter, up less than 1 percentage point since the ChatGPT announcement.

Bing has long struggled for relevance and attracted more mockery than recognition over the years as a serious alternative to Google. Multiple rebrandings and redesigns since its 2009 debut did little to boost Bing's popularity. A month before Microsoft infused the search engine with generative AI, people were spending 33% less time using it than they had 12 months earlier, according to SensorTower. The ChatGPT reboot at least helped reverse those declines. In the second quarter of 2023, US monthly active users more than doubled year over year to 3.1 million, according to a Bloomberg Intelligence analysis of SensorTower mobile app data. Overall, users were spending 84% more time on the search engine, the data show. By year-end, Bing's monthly active users had increased steadily to 4.4 million, according to SensorTower.

An anonymous reader quotes a report from Wired: As more companies ramp up development of artificial intelligence systems, they are increasingly turning to graphics processing unit (GPU) chips for the computing power they need to run large language models (LLMs) and to crunch data quickly at massive scale. Between video game processing and AI, demand for GPUs has never been higher, and chipmakers are rushing to bolster supply. In new findings released today, though, researchers are highlighting a vulnerability in multiple brands and models of mainstream GPUs -- including Apple, Qualcomm, and AMD chips -- that could allow an attacker to steal large quantities of data from a GPU's memory. The silicon industry has spent years refining the security of central processing units, or CPUs, so they don't leak data in memory even when they are built to optimize for speed. However, since GPUs were designed for raw graphics processing power, they haven't been architected to the same degree with data privacy as a priority. As generative AI and other machine learning applications expand the uses of these chips, though, researchers from New York -- based security firm Trail of Bits say that vulnerabilities in GPUs are an increasingly urgent concern. "There is a broader security concern about these GPUs not being as secure as they should be and leaking a significant amount of data," Heidy Khlaaf, Trail of Bits' engineering director for AI and machine learning assurance, tells WIRED. "We're looking at anywhere from 5 megabytes to 180 megabytes. In the CPU world, even a bit is too much to reveal."

To exploit the vulnerability, which the researchers call LeftoverLocals, attackers would need to already have established some amount of operating system access on a target's device. Modern computers and servers are specifically designed to silo data so multiple users can share the same processing resources without being able to access each others' data. But a LeftoverLocals attack breaks down these walls. Exploiting the vulnerability would allow a hacker to exfiltrate data they shouldn't be able to access from the local memory of vulnerable GPUs, exposing whatever data happens to be there for the taking, which could include queries and responses generated by LLMs as well as the weights driving the response. In their proof of concept, as seen in the GIF below, the researchers demonstrate an attack where a target -- shown on the left -- asks the open source LLM Llama.cpp to provide details about WIRED magazine. Within seconds, the attacker's device -- shown on the right -- collects the majority of the response provided by the LLM by carrying out a LeftoverLocals attack on vulnerable GPU memory. The attack program the researchers created uses less than 10 lines of code. [...] Though exploiting the vulnerability would require some amount of existing access to targets' devices, the potential implications are significant given that it is common for highly motivated attackers to carry out hacks by chaining multiple vulnerabilities together. Furthermore, establishing "initial access" to a device is already necessary for many common types of digital attacks. The researchers did not find evidence that Nvidia, Intel, or Arm GPUs contain the LeftoverLocals vulnerability, but Apple, Qualcomm, and AMD all confirmed to WIRED that they are impacted. Here's what each of the affected companies had to say about the vulnerability, as reported by Wired:

Apple: An Apple spokesperson acknowledged LeftoverLocals and noted that the company shipped fixes with its latest M3 and A17 processors, which it unveiled at the end of 2023. This means that the vulnerability is seemingly still present in millions of existing iPhones, iPads, and MacBooks that depend on previous generations of Apple silicon. On January 10, the Trail of Bits researchers retested the vulnerability on a number of Apple devices. They found that Apple's M2 MacBook Air was still vulnerable, but the iPad Air 3rd generation A12 appeared to have been patched.
Qualcomm: A Qualcomm spokesperson told WIRED that the company is "in the process" of providing security updates to its customers, adding, "We encourage end users to apply security updates as they become available from their device makers." The Trail of Bits researchers say Qualcomm confirmed it has released firmware patches for the vulnerability.
AMD: AMD released a security advisory on Wednesday detailing its plans to offer fixes for LeftoverLocals. The protections will be "optional mitigations" released in March.
Google: For its part, Google says in a statement that it "is aware of this vulnerability impacting AMD, Apple, and Qualcomm GPUs. Google has released fixes for ChromeOS devices with impacted AMD and Qualcomm GPUs."

An anonymous reader quotes a report from BleepingComputer: Have I Been Pwned has added almost 71 million email addresses associated with stolen accounts in the Naz.API dataset to its data breach notification service. The Naz.API dataset is a massive collection of 1 billion credentials compiled using credential stuffing lists and data stolen by information-stealing malware. Credential stuffing lists are collections of login name and password pairs stolen from previous data breaches that are used to breach accounts on other sites.

Information-stealing malware attempts to steal a wide variety of data from an infected computer, including credentials saved in browsers, VPN clients, and FTP clients. This type of malware also attempts to steal SSH keys, credit cards, cookies, browsing history, and cryptocurrency wallets. The stolen data is collected in text files and images, which are stored in archives called "logs." These logs are then uploaded to a remote server to be collected later by the attacker. Regardless of how the credentials are stolen, they are then used to breach accounts owned by the victim, sold to other threat actors on cybercrime marketplaces, or released for free on hacker forums to gain reputation amongst the hacking community.

The Naz.API is a dataset allegedly containing over 1 billion lines of stolen credentials compiled from credential stuffing lists and from information-stealing malware logs. It should be noted that while the Naz.API dataset name includes the word "Naz," it is not related to network attached storage (NAS) devices. This dataset has been floating around the data breach community for quite a while but rose to notoriety after it was used to fuel an open-source intelligence (OSINT) platform called illicit.services. This service allows visitors to search a database of stolen information, including names, phone numbers, email addresses, and other personal data. The service shut down in July 2023 out of concerns it was being used for Doxxing and SIM-swapping attacks. However, the operator enabled the service again in September. Illicit.services use data from various sources, but one of its largest sources of data came from the Naz.API dataset, which was shared privately among a small number of people. Each line in the Naz.API data consists of a login URL, its login name, and an associated password stolen from a person's device, as shown [here]. "Here's the back story: this week I was contacted by a well-known tech company that had received a bug bounty submission based on a credential stuffing list posted to a popular hacking forum," explained Troy Hunt, the creator of Have I Been Pwned, in blog post. "Whilst this post dates back almost 4 months, it hadn't come across my radar until now and inevitably, also hadn't been sent to the aforementioned tech company."

"They took it seriously enough to take appropriate action against their (very sizeable) user base which gave me enough cause to investigate it further than your average cred stuffing list."

To check if your credentials are in the Naz.API dataset, you can visit Have I Been Pwned.

"The ambient light sensors present in most mobile devices can be accessed by software without any special permissions, unlike permissions required for accessing the microphone or the cameras," writes longtime Slashdot reader BishopBerkeley. "When properly interrogated, the data from the light sensor can reveal much about the user." IEEE Spectrum reports: While that may not seem to provide much detailed information, researchers have already shown these sensors can detect light intensity changes that can be used to infer what kind of TV programs someone is watching, what websites they are browsing or even keypad entries on a touchscreen. Now, [Yang Liu, a PhD student at MIT] and colleagues have shown in a paper in Science Advances that by cross-referencing data from the ambient light sensor on a tablet with specially tailored videos displayed on the tablet's screen, it's possible to generate images of a user's hands as they interact with the tablet. While the images are low-resolution and currently take impractically long to capture, he says this kind of approach could allow a determined attacker to infer how someone is using the touchscreen on their device. [...]

"The acquisition time in minutes is too cumbersome to launch simple and general privacy attacks on a mass scale," says Lukasz Olejnik, an independent security researcher and consultant who has previously highlighted the security risks posed by ambient light sensors. "However, I would not rule out the significance of targeted collections for tailored operations against chosen targets." But he also points out that, following his earlier research, the World Wide Web Consortium issued a new standard that limited access to the light sensor API, which has already been adopted by browser vendors.

Liu notes, however, that there are still no blanket restrictions for Android apps. In addition, the researchers discovered that some devices directly log data from the light sensor in a system file that is easily accessible, bypassing the need to go through an API. The team also found that lowering the resolution of the images could bring the acquisition times within practical limits while still maintaining enough detail for basic recognition tasks. Nonetheless, Liu agrees that the approach is too complicated for widespread attacks. And one saving grace is that it is unlikely to ever work on a smartphone as the displays are simply too small. But Liu says their results demonstrate how seemingly harmless combinations of components in mobile devices can lead to surprising security risks.

Fujitsu has apologized for its role in the British Post Office scandal, acknowledging that its buggy accounting software contributed to the wrongful prosecutions of hundreds of postal employees. From a report: "Fujitsu would like to apologize for our part in this appalling miscarriage of justice," Paul Patterson, co-CEO of Fujitsu's European division, said in a hearing held by the UK Parliament's Business and Trade Committee. "We were involved from the very start. We did have bugs and errors in the system and we did help the Post Office in their prosecutions of the sub-postmasters. For that we are truly sorry."

The committee hearing focused on possible compensation for victims of what has been called "the worst miscarriage of justice in British history." Patterson said that Fujitsu has "a moral obligation" to contribute to the compensation for victims. A BBC report explains that between 1999 and 2015, "more than 900 sub-postmasters and postmistresses were prosecuted for theft and false accounting after money appeared to be missing from their branches, but the prosecutions were based on evidence from faulty Horizon software. Some sub-postmasters wrongfully went to prison, many were financially ruined. Some have since died."

Speaking of cyber attacks, JPMorgan Chase is targeted by hackers trying to infiltrate its systems 45 billion times a day (Warning: source may be paywalled; alternative source) -- twice the rate at which it was attacked a year earlier -- the bank's head of asset and wealth management has said. FT: Speaking at Davos on Wednesday, Mary Erdoes said the bank spent $15bn on technology every year and employed 62,000 technologists, with many focused solely on combating the rise in cyber crime. "We have more engineers than Google or Amazon. Why? Because we have to," she said. "The fraudsters get smarter, savvier, quicker, more devious, more mischievous."

Western lenders have suffered a surge in cyber attacks in the past two years, which has been partly blamed on Russian hackers acting in response to sanctions placed on the country and its banks following its full-scale invasion of Ukraine. But the use of artificial intelligence by cyber criminals has also increased the number of incidents and level of sophistication of attacks. UPDATE 1/18/24: In a statement provided to Slashdot, a JPMorgan spokesperson said: "The 45 billion per day figure measures numerous activities, not just hacking attempts. As updated by Bloomberg, 'Examples of activity can include user log ins like employee virtual desktops, and scanning activity, which are often highly automated and not targeted.'" Bloomberg and FT have updated their articles accordingly.

An increase in cyber attacks on the healthcare sector is jeopardising patient safety, and prompting some governments to publish new cyber security standards. From a report: Publicly disclosed global cyber security breaches between January and September last year showed that the healthcare sector suffered more attacks (241) than any other sector, ahead of government (147), and information technology including software, hardware and IT services (91), according to research by Omdia, a technology research provider. The most common type of cyber breach in healthcare was hacking, followed by supply chain attacks, "phishing" (where cyber criminals pose as legitimate organisations to trick people into disclosing passwords and payment details), and "ransomware," in which hackers use malicious software -- "malware" -- to encrypt data until the victim pays a ransom to unlock it.

"The healthcare sector is such a tempting target [for cyber security criminals] because ... you can put lives at risk," says James Lewis, a cyber security expert at the Center for Strategic and International Studies, a US think-tank. The UK's National Health Service has been hit by significant ransomware attacks. In 2017, the "WannaCry" attack is estimated to have cost the NHS $116.3mn and caused the cancellation of 19,000 patient appointments. Another hacking, in 2022, took down the non-emergency 111 service, and disrupted management systems for mental health services and emergency prescriptions.

An anonymous reader quotes a report from 404 Media: Google search really has been taken over by low-quality SEO spam, according to a new, year-long study by German researchers (PDF). The researchers, from Leipzig University, Bauhaus-University Weimar, and the Center for Scalable Data Analytics and Artificial Intelligence, set out to answer the question "Is Google Getting Worse?" by studying search results for 7,392 product-review terms across Google, Bing, and DuckDuckGo over the course of a year. They found that, overall, "higher-ranked pages are on average more optimized, more monetized with affiliate marketing, and they show signs of lower text quality ... we find that only a small portion of product reviews on the web uses affiliate marketing, but the majority of all search results do."

They also found that spam sites are in a constant war with Google over the rankings, and that spam sites will regularly find ways to game the system, rise to the top of Google's rankings, and then will be knocked down. "SEO is a constant battle and we see repeated patterns of review spam entering and leaving the results as search engines and SEO engineers take turns adjusting their parameters," they wrote. They note that Google, Bing, and DuckDuckGo are regularly tweaking their algorithms and taking down content that is outright spam, but that, overall, this leads only to "a temporary positive effect."

"Search engines seem to lose the cat-and-mouse game that is SEO spam," they write. Notably, Google, Bing, and DuckDuckGo all have the same problems, and in many cases, Google performed better than Bing and DuckDuckGo by the researchers' measures. The researchers warn that this rankings war is likely to get much worse with the advent of AI-generated spam, and that it genuinely threatens the future utility of search engines: "the line between benign content and spam in the form of content and link farms becomes increasingly blurry -- a situation that will surely worsen in the wake of generative AI. We conclude that dynamic adversarial spam in the form of low-quality, mass-produced commercial content deserves more attention."

Google Maps is about to get better at showing directions inside tunnels. A new feature spotted by SmartDroid allows the Android version of the app to use Bluetooth beacons to track your location in areas where GPS signals typically can't reach. The Verge: These beacons transmit Bluetooth signals that give location data to your phone, according to the Google-owned Waze, which already supports the feature. The app then uses this information along with the device's mobile connectivity to "provide real-time traffic data as it would with a typical GPS connection."

Android Authority combed through the code of Edge browser (for Android) to find what may be hints for things to come to Copilot: Microsoft has offered its Copilot AI service (formerly Bing Chat) on mobile devices for a while. The service has long been free to use, allowing you to speak to a chatbot, generate AI images, and more. Now, recent Edge browser updates for Android hint at a so-called Copilot Pro option. [...] But what should you expect from this Pro tier? Fortunately, a string also mentions Copilot Pro perks. This includes access to the latest AI models, priority access for quicker answers, and "high-quality" image generation. Update: Microsoft has officially launched Copilot Pro. The subscription provides access to AI-powered features inside Office apps like Word, Excel, and PowerPoint alongside priority access to the latest OpenAI models, and the ability to build your own Copilot GPT.

With subsidiaries like WebMD and CarsDirect, the digital media company "Internet Brands" has over 5,000 employees — and 20 offices in expensive locations like Seattle, San Francisco, Chicago, and New York City.

Their solution? Create a cheery corporate video on the company's Vimeo account announcing a new (non-negotiable) hybrid return-to-office policy.

SFGate.com calls it "the return-to-office fight's most bizarre corporate messaging yet." Executives from Internet Brands' internet brands are so wide-eyed and declarative, they appear to be at their breaking point in wanting more workers at the office. "Too big of a group hasn't returned," CEO Bob Brisco complains, near the video's opening. The vehicle to deliver that message has it all: rapid jump cuts, odd sound mixing and executives clearly reading their lines from teleprompters. There's plainly faked office b-roll and the obvious use of green screens. There's even some enthusiastic (and awkward) sashaying to the New Orleans classic "Iko Iko" — one wonders if participating employees received compensation.
Interestingly, "Iko Iko" is a song about a collision between two rival tribes, which opens with a threat to "set your flag on fire." But subtitles on the video translate the song's Creole patois word "Jockamo" into the corporate-positive phrase "we mean business." It's like the executives started their brainstorming session by watching 12 music videos, an iMovie editing tutorial and the entirety of "The Office" Season 1. Mixed in with the corporate b-roll of a copy machine spitting out paper and a too-loud video of a hand crushing a Dr. Pepper can, the company's executives sketch out the vibe of a return-to-office plan — though no specifics.
The video ends with CEO Bob Brisco thanking the team, before gently adding "I want to leave you with this. We aren't asking or negotiating at this point. We're informing, of how we need to work together going forward....

"Thank you, in advance, for your help."

The video has since started going viral on Reddit's "Work Reform" subreddit, with a headline calling it a "bizarre and cringe video mocking working from home and threatening employees who continue to avoid the office." (This take drew 1,300 upvotes, and 241 comments, like " 'By the way this is a threat' is a nice way to end it.")

Footage of at least some of the executives was clearly just spliced in front of still photos showing what offices look like. But besides the wooden delivery, what really struck me is how generic all the words were:

• "Working together face-to-face helps us create ideas, faster, and better."

• "We're able to collaborate, and help each other to be better leaders."

• "We're better when we're together, and we need to be our best — to crush our competition." [Footage of the word "competition" being erased from a whiteboard. And then, of someone crushing a Dr. Pepper can...]

jd (Slashdot reader #1,658) shared this story from BleepingComputer. The article notes that "Multiple implementations of the Kyber key encapsulation mechanism for quantum-safe encryption, are vulnerable to a set of flaws collectively referred to as KyberSlash, which could allow the recovery of secret keys."

jd explains that Crystals-Kyber "was chosen to be the U.S. government's post-quantum cryptography system of choice last year, but a side-channel attack has been identified. But in the article, NIST says that this is an implementation-specific attack (the reference implementation) and not a vulnerability in Kyber itself."

From the article: CRYSTALS-Kyber is the official implementation of the Kyber key encapsulation mechanism (KEM) for quantum-safe algorithm (QSA) and part of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) suite of algorithms. It is designed for general encryption... The KyberSlash flaws are timing-based attacks arising from how Kyber performs certain division operations in the decapsulation process, allowing attackers to analyze the execution time and derive secrets that could compromise the encryption. If a service implementing Kyber allows multiple operation requests towards the same key pair, an attacker can measure timing differences and gradually compute the secret key...

In a KyberSlash1 demo on a Raspberry Pi system, the researchers recovered Kyber's secret key from decryption timings in two out of three attempts...

On December 30, KyberSlash2 was patched following its discovery and responsible reporting by Prasanna Ravi, a researcher at the Nanyang Technological University in Singapore, and Matthias Kannwischer, who works at the Quantum Safe Migration Center.

Long-time Slashdot reader Geoffrey.landis writes: Hundreds of British postal workers wrongly convicted of theft due to faulty accounting software could have their convictions reversed, according to a story from the BBC. Between 1999 and 2015, the Post Office prosecuted 700 sub-postmasters and sub-postmistresses — an average of one a week — based on information from a computer system called Horizon, after faulty software wrongly made it look like money was missing. Some 283 more cases were brought by other bodies including the Crown Prosecution Service.
2024 began with a four-part dramatization of the scandal airing on British television, and the BBC reporting today that its reporters originally investigating the story confronted "lobbying, misinformation and outright lies."

Yet the Guardian notes that to this day in English and Welsh law, computers are still assumed to be "reliable" unless and until proven otherwise. But critics of this approach say this reverses the burden of proof normally applied in criminal cases. Stephen Mason, a barrister and expert on electronic evidence, said: "It says, for the person who's saying 'there's something wrong with this computer', that they have to prove it. Even if it's the person accusing them who has the information...."

He and colleagues had been expressing alarm about the presumption as far back as 2009. "My view is that the Post Office would never have got anywhere near as far as it did if this presumption wasn't in place," Mason said... [W]hen post office operators were accused of having stolen money, the hallucinatory evidence of the Horizon system was deemed sufficient proof. Without any evidence to the contrary, the defendants could not force the system to be tested in court and their loss was all but guaranteed.

The influence of English common law internationally means that the presumption of reliability is widespread. Mason cites cases from New Zealand, Singapore and the U.S. that upheld the standard and just one notable case where the opposite happened... The rise of AI systems made it even more pressing to reassess the law, said Noah Waisberg, the co-founder and CEO of the legal AI platform Zuva.
Thanks to Slashdot reader Bruce66423 for sharing the article.